[Snort-users] packet loss

Jose Maria Lopez jkerouac at ...12346...
Wed Sep 29 13:25:08 EDT 2004

On Tue, 28 Sep 2004 at 16:13, Larry Wichman wrote:
> In the course of my testing of Snort I have averaged about 40% packet
> loss. I am running Snort on Fedora. The segment I am monitoring is 100
> mb and is very busy. Does anyone have any recommendations for tuning
> Snort to not drop so many packets? Are there any recommendations for
> hardware? The CPU is running at about 40% and the memory looks fine.
> ~Larry

The first thing you should do is check the rules you are
using and remove the ones that don't apply to your system
or are not useful to you. Tuning the rules will give you
a performance boost.

The second thing is logging in binary format instead of logging
in ASCII format. You can then use barnyard to generate the
logs in ASCII format or log to a database. That will be another
huge performance boost.

Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac at ...12346...
bgSEC Seguridad y Consultoria de Sistemas Informaticos

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
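
The binary-logging change described in the reply above, as an added snort.conf sketch that is not part of the original message. It assumes a Snort 2.x sensor; the file names and the 128 MB limit are illustrative values.

```conf
# snort.conf output section (Snort 2.x syntax).
# File names and the size limit below are assumed example values.

# Before: ASCII alerts. Snort formats every alert as text itself,
# which costs time in the same process that has to keep up with capture.
# output alert_full: alert.full

# After: unified binary output. Snort only writes compact binary records;
# formatting is left to a separate reader such as barnyard.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
```

Barnyard then reads the snort.alert and snort.log spool files and produces the ASCII or database output outside Snort's capture loop.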
